CVE-2025-21919

Severity CVSS v4.0: Pending analysis
Type: CWE-787 Out-of-bounds Write
Publication date: 01/04/2025
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

sched/fair: Fix potential memory corruption in child_cfs_rq_on_list

child_cfs_rq_on_list attempts to convert a 'prev' pointer to a cfs_rq. This 'prev' pointer can originate from struct rq's leaf_cfs_rq_list, making the conversion invalid and potentially leading to memory corruption. Depending on the relative positions of leaf_cfs_rq_list and the task group (tg) pointer within the struct, this can cause a memory fault or access garbage data.

The issue arises in list_add_leaf_cfs_rq, where both cfs_rq->leaf_cfs_rq_list and rq->leaf_cfs_rq_list are added to the same leaf list. Also, rq->tmp_alone_branch can be set to rq->leaf_cfs_rq_list.

This adds a check `if (prev == &rq->leaf_cfs_rq_list)` after the main conditional in child_cfs_rq_on_list. This ensures that the container_of operation will convert a correct cfs_rq struct.

This check is sufficient because only cfs_rqs on the same CPU are added to the list, so verifying the 'prev' pointer against the current rq's list head is enough.

Fixes a potential memory corruption issue that, due to the current struct layout, might not manifest as a crash but could lead to unpredictable behavior when the layout changes.
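The head-versus-node confusion described above, reduced to a small C model with the check the fix adds in place. This is an added illustration constructed for this page, not the kernel's code: the struct layouts, the list helpers and the run_scenario() harness are simplifications and assumptions, and only the shape of the check mirrors the advisory.

```c
/* Simplified model of the CVE-2025-21919 hazard (constructed here; not kernel code). */
#include <stdbool.h>
#include <stddef.h>
struct list_head { struct list_head *next, *prev; };
/* Same arithmetic as the kernel macro: it trusts that ptr sits inside a `type`. */
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
struct task_group { struct task_group *parent; };
struct rq {
    struct list_head leaf_cfs_rq_list;  /* list HEAD: lives in rq, not in any cfs_rq */
    struct list_head *tmp_alone_branch; /* can be set to point at that head */
};
struct cfs_rq {
    struct task_group *tg;
    struct rq *rq;
    struct list_head leaf_cfs_rq_list;  /* list NODE: embedded in every cfs_rq */
    bool on_list;
};
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *prev) /* insert n after prev */
{
    n->next = prev->next; n->prev = prev;
    prev->next->prev = n; prev->next = n;
}
/* Patched logic: refuse to container_of() the rq's own list head. */
static bool child_cfs_rq_on_list(struct cfs_rq *cfs_rq)
{
    struct rq *rq = cfs_rq->rq;
    struct list_head *prev = cfs_rq->on_list ? cfs_rq->leaf_cfs_rq_list.prev
                                             : rq->tmp_alone_branch;
    if (prev == &rq->leaf_cfs_rq_list)  /* the check the fix adds */
        return false;                   /* the head is not inside any cfs_rq */
    return container_of(prev, struct cfs_rq, leaf_cfs_rq_list)->tg->parent == cfs_rq->tg;
}
/* Constructed layout: child node first (prev is the rq head), parent after it, and an off-list
 * cfs_rq with tmp_alone_branch set to the head. Bitmask: bit0 child, bit1 parent, bit2 orphan. */
static int run_scenario(void)
{
    struct rq rq;
    struct task_group parent_tg = { .parent = NULL }, child_tg = { .parent = &parent_tg };
    struct cfs_rq parent = { .tg = &parent_tg, .rq = &rq, .on_list = true };
    struct cfs_rq child  = { .tg = &child_tg,  .rq = &rq, .on_list = true };
    struct cfs_rq orphan = { .tg = &child_tg,  .rq = &rq, .on_list = false };
    list_init(&rq.leaf_cfs_rq_list);
    list_add(&child.leaf_cfs_rq_list, &rq.leaf_cfs_rq_list);
    list_add(&parent.leaf_cfs_rq_list, &child.leaf_cfs_rq_list);
    rq.tmp_alone_branch = &rq.leaf_cfs_rq_list;
    return (child_cfs_rq_on_list(&child) ? 1 : 0) | (child_cfs_rq_on_list(&parent) ? 2 : 0)
         | (child_cfs_rq_on_list(&orphan) ? 4 : 0);
}
int main(void) { return run_scenario() == 2 ? 0 : 1; }
```

Only the parent case has a real cfs_rq node as its 'prev', so run_scenario() returns 2; the two cases whose 'prev' is the rq head are rejected before container_of runs instead of producing a pointer into struct rq.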

Vulnerable products and versions

CPE                                                  From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.13 (including)    5.15.179 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         5.16 (including)    6.1.131 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.2 (including)     6.6.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.7 (including)     6.12.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.13 (including)    6.13.7 (excluding)
cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.14:rc5:*:*:*:*:*:*